Other Blogs

Author: Stefan van Bruggen

After updating Adobe Reader DC on our XenApp 7.15 environment we started seeing the acrord32.exe generating a high amount of CPU usage, causing performance issues for the end-users.

A quick fix was to kill all the acrord32.exe processes that were stuck running in the background, but we couldn’t reproduce the issue with a test account so troubleshooting this turned out to be a bit of a hassle.

It turned out that when starting Adobe Reader, it tries to find the following registry key: [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize]

We were able to confirm this with Sysinternals’ Process Monitor. In the capture below the problem didn’t occur, because Adobe Reader was able to find the registry key:

If this key doesn’t exist, the process will be stuck in the background using up to 25% CPU per instance.

We created a new action in WEM and pushed the registry key to our users, this solved the problem.

This issue occurs in the following versions of Adobe Reader DC: 2019.021.20047 and 2019.021.20048
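As an added example (not the author's WEM action), the same fix as a PowerShell check that can run in a logon script: it tests for the Personalize key Adobe Reader looks for and creates it only when it is missing. Because the key lives under HKCU it has to run in the user's own session; the helper that lists running acrord32.exe instances is there to confirm whether any stuck processes remain afterwards.

```powershell
# Added example, not from the original post. Creates the HKCU key that
# Adobe Reader DC 2019.021.20047/20048 looks for at startup if it is absent.
$KeyPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize'

function Initialize-PersonalizeKey {
    param([string]$Path = $KeyPath)
    if (Test-Path -Path $Path) {
        Write-Output "Key already present: $Path"
        return $false
    }
    # -Force also creates any missing parent keys under Themes
    New-Item -Path $Path -Force | Out-Null
    Write-Output "Created missing key: $Path"
    return $true
}

function Get-AcroRdProcess {
    # Lists Reader instances with their accumulated CPU time so a stuck
    # background instance (high CPU, no window) is easy to spot per session.
    Get-Process -Name acrord32 -ErrorAction SilentlyContinue |
        Select-Object Id, SessionId, MainWindowTitle,
            @{ Name = 'CpuSeconds'; Expression = { [math]::Round($_.CPU, 1) } }
}

Initialize-PersonalizeKey
Get-AcroRdProcess | Format-Table -AutoSize
```

Run it once per user (logon script, WEM external task, or manually in the affected session); the key is created empty, which is enough for Reader to find it, and existing keys are left untouched.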

Another script to share, it’s quick and dirty but it does what it’s supposed to do so I might as well share it with whoever needs it.

The script was written for a hosted environment with three customers, each with a separate test account. The test accounts are disabled at the end of the day by a scheduled task and can be enabled when needed by running this script.

The person running the script fills in the customer name and based on that it enables the right account and gives it a randomly generated password.
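An added example of that flow (not the author's script): the operator is prompted for a customer name, the matching test account is looked up in a mapping, a password is generated from a cryptographic random source, and the account is reset and enabled. The customer names and sAMAccountNames in the mapping are placeholders, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example, not the author's script. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed mapping of customer name to test account; adjust to your environment.
$TestAccounts = @{
    'CustomerA' = 'svc-test-customera'
    'CustomerB' = 'svc-test-customerb'
    'CustomerC' = 'svc-test-customerc'
}

function New-RandomPassword {
    param([int]$Length = 20)
    # 64 characters (no 0/O, 1/l/I) so that a byte modulo 64 has no bias.
    $charset = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%&*+')
    $bytes = New-Object byte[] $Length
    # Cryptographic RNG rather than Get-Random, so the password is not predictable.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return -join ($bytes | ForEach-Object { $charset[$_ % $charset.Length] })
}

function Enable-CustomerTestAccount {
    param([Parameter(Mandatory)][string]$Customer)
    if (-not $TestAccounts.ContainsKey($Customer)) {
        throw "Unknown customer '$Customer'. Known customers: $($TestAccounts.Keys -join ', ')"
    }
    $sam    = $TestAccounts[$Customer]
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # Reset the password first, then enable, so a stale password never becomes usable.
    Set-ADAccountPassword -Identity $sam -NewPassword $secure -Reset
    Enable-ADAccount -Identity $sam
    [pscustomobject]@{ Customer = $Customer; Account = $sam; Password = $plain }
}

$customer = Read-Host 'Customer name'
Enable-CustomerTestAccount -Customer $customer
```

The end-of-day scheduled task that disables the accounts again stays as it is; this script only covers the enable side, and the generated password is returned once to the operator and not written anywhere.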

I wrote this function for my fellow IT engineer (and brother) Robin van Bruggen who is building a script that allows his co-workers to change the OSDComputerName and AssetTag values for a specified machine without manually manipulating the MDT SQL database.

The script uses the MDTDB module created by Michael Niehaus (which can be found HERE). This module allows you to change pretty much anything you would want to change in the MDT database except for, you’ve guessed it, the asset tag.

Anyway, to keep a long story short, add this to the MDTDB.psm1 file and you’re good to go!
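As an added illustration of the kind of function meant here (this is not Robin's function and not part of Michael Niehaus' MDTDB module), the snippet below updates the asset tag of one computer record with a parameterized query, so an operator-supplied tag can never be interpreted as SQL. It assumes the MDT database's ComputerIdentity table with its ID and AssetTag columns and opens its own connection; the server and database names are placeholders.

```powershell
# Added example, not the MDTDB module's code. Table and column names are the
# MDT defaults as assumed here; SQL server and database names are placeholders.
function Set-MDTAssetTag {
    param(
        [Parameter(Mandatory)][int]$Id,
        [Parameter(Mandatory)][string]$AssetTag,
        [string]$SqlServer = 'MDTSQL01',
        [string]$Database  = 'MDTDB'
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # Parameters, not string concatenation: the tag travels as data only.
        $cmd.CommandText = 'UPDATE ComputerIdentity SET AssetTag = @tag WHERE ID = @id'
        $cmd.Parameters.AddWithValue('@tag', $AssetTag) | Out-Null
        $cmd.Parameters.AddWithValue('@id', $Id) | Out-Null
        $rows = $cmd.ExecuteNonQuery()
        if ($rows -ne 1) {
            throw "Expected to update exactly 1 row for ID $Id, but $rows rows were affected"
        }
        Write-Output "AssetTag for computer ID $Id set to '$AssetTag'"
    } finally {
        $conn.Close()
    }
}

# Usage: Set-MDTAssetTag -Id 42 -AssetTag 'ASSET-0042'
```

Checking the affected row count guards against a typo in the ID silently updating nothing, and a WHERE clause on the primary key keeps the update from ever touching more than one record.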

One of our customers was having trouble with autodiscovery not functioning on one of their Exchange 2010 CAS-servers. I was asked to take a look at it and one of the errors in the eventlog stood out in particular:

Could not load file or assembly ‘Microsoft.Exchange.Security, Version=14.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified. (C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover\web.config line 940)

Now, let’s open the web.config file mentioned in the error message. You will most likely see a whole bunch of file:///%ExchangeInstallDir%, and this is exactly what the problem is. In some cases, Exchange is unable to find the installation path using this variable and luckily the fix for this is quite easy.

The Fix

Fire up your favourite text editor, and do a Find & Replace on file:///%ExchangeInstallDir%bin and replace it with file:///C:\Program Files\Microsoft\Exchange Server\V14\bin\ or whatever your installation directory is.
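The same Find & Replace as a script, added here as an example and not part of the original post: it backs up web.config first, counts the occurrences of the placeholder, checks that the result still parses as XML, and only then writes it back. The paths are the ones from the error message above and from the author's replacement string; change them if your installation directory differs.

```powershell
# Added example, not from the original post. Paths mirror the ones in the post.
$WebConfig   = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover\web.config'
$InstallBin  = 'C:\Program Files\Microsoft\Exchange Server\V14\bin\'   # your installation directory
$Placeholder = 'file:///%ExchangeInstallDir%bin'

function Repair-ExchangeWebConfig {
    param([string]$Path = $WebConfig, [string]$Bin = $InstallBin)
    $backup = "$Path.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    Copy-Item -Path $Path -Destination $backup

    # ReadAllText/WriteAllText work on PowerShell 2 as well (no -Raw needed).
    $content = [System.IO.File]::ReadAllText($Path)
    $count = [regex]::Matches($content, [regex]::Escape($Placeholder)).Count
    if ($count -eq 0) {
        Write-Output "No occurrences of $Placeholder found in $Path"
        return 0
    }

    $fixed = $content.Replace($Placeholder, "file:///$Bin")
    # Throws if the edited file is no longer well-formed XML, before anything is written.
    $null = [xml]$fixed
    [System.IO.File]::WriteAllText($Path, $fixed)
    Write-Output "Replaced $count occurrence(s); backup saved as $backup"
    return $count
}

Repair-ExchangeWebConfig
```

Recycle the Autodiscover application pool (or run iisreset) after the change so the CAS server reloads the configuration, and keep the .bak file until autodiscovery is confirmed working.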

For the Dutch-speaking readers out there who are interested in the AV product I mentioned in my previous blogpost (SentinelOne), I have written a blogpost for the website of my employer De Koning in which I go into a little more detail about SentinelOne.

Well, I don’t think this one needs a lot of introduction because the chances that you haven’t heard about this latest ransomware problem are pretty slim.

So, assuming we all know what it is and what ransomware does, how many people have observed the process in detail?
Sounds like it’s time to take a closer look at what actually happens when a system gets infected.

(Don’t forget to click the screenshots if you want to read the details)

How the test was performed.

In this scenario, I created a Windows 10 Virtual Machine, planted a few decoy files and installed some common applications like Microsoft Office 2016, Mozilla Firefox and 7Zip.

Now, of course we aren’t going to infect this machine and just shut it down again, we want to monitor it and have a way to reclaim control over the VM. To achieve this I used the next-gen AV solution SentinelOne.

SentinelOne is different from regular AV solutions because it does not only look at the hash of the malware files, but also at what they do.

I won’t go into the technical details, perhaps in a future blogpost, so to keep it short: Imagine opening a Word file and the second you do that, it starts creating new processes, modifies registry entries, etc. SentinelOne monitors this behavior and when a certain threshold of suspicious behavior is reached it kills the process and rolls back the changes made by the malware.

Results: What happens when you execute the malware?

I executed the WannaCry ransomware on the VM and configured SentinelOne to only alert instead of killing the process. SentinelOne keeps monitoring the VM and auto-creates a nifty report in the management console.
Keep in mind that at this point, the entire VM has been encrypted and these nice people are offering me the decryption key for bitcoins.

So, this entire process resulted in a .CSV report featuring a small amount of… 17288 rows! I selected a few interesting parts to highlight in this post, let’s start by taking a look at who this bad boy tries to talk to. Friends in Germany and the USA, so no Russian/North-Korean/Chinese/Mordor influence so far.

Onwards to the ‘installation’ of the ransomware, the creators took their time to provide proper customer service and included translations for 28(!) languages to show the payment instructions in:
Next, it downloads the readme-file, the background.jpg to replace the user’s wallpaper with, the decryptor-tool to fill in the key with after payment, and multiple .bin.gz files. Not visible in this screenshot but interesting nevertheless, it even downloads a TOR browser for you! How nice of them.

Of course, the process would not be complete without deleting shadow copies, stopping services and acquiring persistence on the machine:

And now it starts wreaking havoc: in a time-span of barely two minutes (you read that correctly, two. minutes.) it encrypts everything it can find on the machine, rendering it completely out of order until the ransom is paid.
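The three destructive steps just listed (shadow copy deletion, service stopping, persistence) are exactly the kind of behaviour a report like this lets you hunt for. As an added example, not part of the post and not SentinelOne's report format, the script below runs a few detection rules over a process-activity CSV; the rows it contains are constructed for the example and the persistence path in them is a placeholder, not a real indicator from the report.

```powershell
# Added example, not from the original post. The CSV below is constructed;
# the column layout is an assumption, not SentinelOne's export format.
$SampleCsv = @'
Time,Process,CommandLine
12:01:03,WINWORD.EXE,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /n
12:01:07,cmd.exe,cmd.exe /c vssadmin delete shadows /all /quiet
12:01:08,cmd.exe,cmd.exe /c net stop MSSQLSERVER /y
12:01:09,reg.exe,reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d C:\Users\Public\placeholder-payload.exe
12:01:10,explorer.exe,C:\Windows\explorer.exe
'@

# Each rule is a name plus a case-insensitive regex over the command line.
$Rules = @(
    @{ Name = 'ShadowCopyDeletion'; Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete' }
    @{ Name = 'ServiceStop';        Pattern = '\bnet1?(\.exe)?\s+stop\b|\bsc(\.exe)?\s+stop\b' }
    @{ Name = 'RunKeyPersistence';  Pattern = 'reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b' }
)

function Find-RansomwareBehaviour {
    param([string]$Csv = $SampleCsv)
    $rows = $Csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        foreach ($rule in $Rules) {
            if ($row.CommandLine -match $rule.Pattern) {
                [pscustomobject]@{
                    Time    = $row.Time
                    Rule    = $rule.Name
                    Process = $row.Process
                    Command = $row.CommandLine
                }
            }
        }
    }
}

# Expected on the sample: three hits, one per rule, all within a few seconds
# of the Word process starting.
Find-RansomwareBehaviour | Format-Table -AutoSize
```

Pointing the function at the real export (`Find-RansomwareBehaviour -Csv (Get-Content report.csv -Raw)`) and adjusting the column names to the report's header is all that is needed; the timestamps of the hits relative to the parent document process are the useful signal, since a legitimate Word session has no reason to delete shadow copies a few seconds after launch.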

Conclusion.

Because SentinelOne is running on the machine, getting rid of the infection was quite simple by issuing a Rollback-command from the management console.
By using this option, SentinelOne rolls back all the changes made by the ransomware and notifies the user that the system has to be rebooted.

After the reboot, the machine is back in its original pre-infected state and the infected files are cleaned up.

Of course, in a production environment you would configure SentinelOne to kill the process right away to prevent further damage. You also have the option to disconnect the machine’s network connection and notify the other clients about the infection’s behavior so that they can prevent getting infected themselves as an auto-immune response.

If you are interested in the report containing the raw data, contact me on Twitter (@SvanBr) or shoot me an E-mail.

Last week, Microsoft finally launched the ‘new and improved’ version of TechNet Labs (found here) called Hands-on Labs.

Introduction
In these labs, Microsoft provides you with an Azure-powered live environment you can use to practice their new and current products without the risk of messing up your own systems.
Currently, they provide a pretty wide range of options including Server 2016, Azure, SQL Server and many more. (note: For some reason sorting the labs by newest places the newer products at the last page instead of the first).

Let’s get started, fire up those VMs!

So, let’s start with a randomly chosen lab to see how it all works, shall we? First we pick a lab and view the details:

Looks interesting enough, time to launch the lab and let Azure do its magic...

When launching the lab, we get redirected to a new webpage and you get to see a progress window, just to let you know it’s working hard to start your lab. (Wouldn’t want people to think Azure is taking it easy, would we?)

First impressions

Creating and booting up the required VMs was faster than I expected, within a few minutes you are greeted by a short introduction of the lab objective and you are ready to get that knowledge flowing into your mind.

Is it any good?

Based on the short time I spent clicking through a few of the labs, I have to say that I’m very positive about the Hands-on Labs.

The process of launching the labs, creating the VMs and working with the labs is very straightforward and works pretty smooth. I expected this process to take a lot longer, but Microsoft does a good job of providing their users with a fully functioning environment in a very short time.

If they manage to provide new labs before or shortly after the release of new products or product versions, I can see this becoming a must-use tool for exam preparations and a very handy tool to get some hands-on experience with the products you are planning to implement in your own environment.
Conclusion: Very positive first experience, with a lot of potential uses.

Apologies for the direct approach, but after reading your LinkedIn profile I just had to show you this perfect opportunity at one of my clients!
My client is a young/dynamic/rockstar/IT-ninja/growing/etc. organisation who’s growing fast and is looking for a young/dynamic/rockstar/IT-ninja/superstar/talented [INSERT JOB TITLE].

Now I was wondering if you value career growth, more money, a brand-new car and yourself? Because if you do, you are the one they need.

Let’s talk about this offer over a cup of coffee sometime, I’ll hear from you soon! 🙂

Cheers,

Ricky Recruiter
Recruiting Rockstar
Recruiting Inc.

Sounds familiar, doesn’t it?

It seems like it’s hunting season again for IT recruiters all over the Netherlands, because these kind of messages have become a daily occurrence.

Of course, spelling my name wrong and showing me a job offer that has nothing to do with my experience (I’ve even received an offer for a job as an Oracle Administrator…. really?) is a clear giveaway that they spam multiple people with a copy+paste message.

*Sigh* .. anyway, at least I have a good idea of my market value thanks to these people.

So, after endless delays and procrastination I finally started the path to getting my MCSA certification. (I know, about time after working in IT for almost 9 years..)

Today, I passed the new 70-740 Installation, Storage, and Compute with Windows Server 2016 exam!

It wasn’t easy, the exams for MCSA 2016 just got out of beta so there is an extreme lack of study material available. If you are planning to take this exam soon, I can recommend using the following resources:

